OpenSSL-based HTTPS service configuration
CA Server: 192.168.75.131
Httpd server: 192.168.75.128
Operating system version: RedHat 6.5 (x86_64)
I. Install openssl
1. Source code installation:
# wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
# tar xvf openssl-1.0.0a.tar.gz
# cd openssl-1.0.0a
# ./config --prefix=/usr/local/openssl
# make && make install
2. RPM installation
# yum install openssl-devel -y
II. Install Apache
1. Source code installation of httpd; reference: Compile and install Apache (httpd-2.4.18)
--enable-so                      # dynamic (DSO) module support
--enable-ssl                     # enable the ssl module
--with-ssl=/usr/local/openssl    # use the openssl compiled above; if omitted, the rpm openssl is used
Configure parameters:
./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre=/usr/local/pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-mpms-shared=all --with-mpm=event --enable-proxy-http --enable-proxy-ajp --enable-proxy-balancer --enable-lbmethod-heartbeat --enable-slotmem-shm --enable-slotmem-plain --enable-watchdog --with-ssl=/usr/local/openssl
2. Install httpd from RPM packages
The mod_ssl module must be installed as well
# yum install httpd mod_ssl -y
III. Generate the CA's self-signed certificate (on the CA server, 192.168.75.131)
# yum install openssl -y
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out private/cakey.pem 2048)    # generate the CA private key
# ll private/
total 4
-rw-------. 1 root root 1679 Feb 18 09:49 cakey.pem
Generating a self-signed certificate prompts for many fields. To avoid typing them every time, edit the configuration file and change the default values.
# cd ../tls/
# diff openssl.cnf openssl.cnf.orig
130c130
<CountryName_default = CN
---
> CountryName_default = XX
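Review bot: the command is `diff openssl.cnf openssl.cnf.orig` with the edited file first, so in this and the following hunks the `<` lines are the new values and the `>` lines are the stock defaults; readers used to `diff old new` will read it backwards, so either swap the arguments or say so once above the output. The value set here, `countryName_default = CN`, is one of the three fields (country, province, organization) that the stock openssl.cnf signing policy requires to be identical in the CA certificate and every request, which is exactly the check that fails in Problem 3 later on this page.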
135c135
<StateOrProvinceName_default = GuangDong
---
> # StateOrProvinceName_default = Default Province
138c138
<LocalityName_default = ShenZhen
---
> LocalityName_default = Default City
141c141
<0. organizationName_default = SmallFish Company Ltd
---
> 0. organizationName_default = Default Company Ltd
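Review bot: `organizationName_default` is the other field the stock signing policy requires to match the CA certificate, so a web server that generates its request with an unmodified openssl.cnf must type `SmallFish Company Ltd` by hand; the first `openssl ca` run in section V shows the rejection (`CA certificate (SmallFish Company Ltd) and the request (vip Ltd)`) when it does not. Worth stating next to this hunk rather than leaving the reader to discover it from the error.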
148c148
<OrganizationalUnitName_default = Tech
---
> # OrganizationalUnitName_default =
# vim ../tls/openssl.cnf    # make sure dir points to the /etc/pki/CA directory
[ CA_default ]
dir = /etc/pki/CA    # Where everything is kept
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3665    # generate the CA's own self-signed certificate from its private key; this is the certificate that is handed to users
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [ShenZhen]:
Organization Name (eg, company) [SmallFish Company Ltd]:    # certificates issued to others must carry this same Organization Name
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []: ca.smallfish.com    # the CA issues this certificate to itself
Email Address []: admin@smallfish.com
# cd /etc/pki/CA/
# touch index.txt
# echo 00 > serial
# tree .
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
IV. Generate a certificate signing request on the web server (on 192.168.75.128)
# cd /usr/local/apache/conf
# mkdir ssl
# cd ssl/
# (umask 077; openssl genrsa 1024 > httpd.key)    # generate the server key
Generating RSA private key, 1024 bit long modulus
...++
...
e is 65537 (0x10001)
# ll
total 4
-rw-------. 1 root root 887 Feb 18 08:40 httpd.key
# openssl req -new -key httpd.key -out httpd.csr    # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN    # must be the same as in the CA certificate
State or Province Name (full name) []: GuangDong    # must be the same as in the CA certificate
Locality Name (eg, city) [Default City]: ShenZhen    # must be the same as in the CA certificate
Organization Name (eg, company) [Default Company Ltd]: SmallFish Company Ltd    # must be the same company as in the CA certificate, otherwise the CA reports an error when it signs the certificate later
Organizational Unit Name (eg, section) []: Tech
Common Name (eg, your name or your server's hostname) []: www.vip.com
Email Address []: www.vip.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@master ssl]#
# scp httpd.csr 192.168.75.131:/tmp    # alternatively, copy it with a USB flash drive or send it by e-mail
V. The CA server issues the certificate (on the CA server, 192.168.75.131)
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650    # the CA signs the certificate; if the organization name differs, an error is returned
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in
CA certificate (SmallFish Company Ltd) and the request (vip Ltd)
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650    # the CA signs the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb 18 10:10:26 2016 GMT
            Not After : Feb 15 10:10:26 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = SmallFish Company Ltd
            organizationalUnitName    = Tech
            commonName                = www.vip.com
            emailAddress              = www.vip.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                68:4F:A6:95:E8:65:0D:FE:9E:E2:81:31:8A:AF:69:3A:4C:43:E0:94
            X509v3 Authority Key Identifier:
                keyid:AA:27:66:F1:0F:7A:7C:CA:CD:85:95:1F:D5:92:5A:36:23:FE:1A:36
Certificate is to be certified until Feb 15 10:10:26 2026 GMT (3650 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
# cat index.txt    # fields are tab-separated: status, expiry, revocation date (empty), serial, file name, subject DN
V	260215101026Z		00	unknown	/C=CN/ST=GuangDong/O=SmallFish Company Ltd/OU=Tech/CN=www.vip.com/emailAddress=www.vip.com
# cat serial
01
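A small reader for the CA database shown above, as an added example that is not part of the original article: it parses the tab-separated index.txt record into its fields, checks whether the CA currently vouches for a given common name, and derives the value the `serial` file must hold next (01 after the single entry above). The first record uses the article's values; the second is a constructed revoked entry that shows the otherwise empty revocation-date column.

```python
# Reader for the OpenSSL CA database (index.txt).  Added example, not part of
# the original article.  First record: the article's values; second record:
# a constructed revoked entry showing the revocation-date column.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample.  Columns are TAB separated:
# status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial(hex)  file  subject-DN
INDEX_TXT = (
    "V\t260215101026Z\t\t00\tunknown\t/C=CN/ST=GuangDong"
    "/O=SmallFish Company Ltd/OU=Tech/CN=www.vip.com/emailAddress=www.vip.com\n"
    "R\t270101000000Z\t230301120000Z\t01\tunknown\t/C=CN/ST=GuangDong"
    "/O=SmallFish Company Ltd/OU=Tech/CN=old.vip.com\n"
)

@dataclass
class IndexEntry:
    status: str                  # V = valid, R = revoked, E = expired
    expires: datetime
    revoked: Optional[datetime]  # None unless status is R
    serial: int
    subject: Dict[str, str]

def parse_dn(dn: str) -> Dict[str, str]:
    """Split '/C=CN/ST=GuangDong/...' into an attribute dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if p)

def parse_time(s: str) -> datetime:
    # openssl ca writes UTCTime: two-digit year, trailing Z for UTC
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.strip().splitlines():
        status, exp, rev, serial, _file, dn = line.split("\t")
        entries.append(IndexEntry(status, parse_time(exp),
                                  parse_time(rev) if rev else None,
                                  int(serial, 16), parse_dn(dn)))
    return entries

def valid_for(entries: List[IndexEntry], cn: str, now: datetime) -> bool:
    """Does the CA currently vouch for a certificate with this CN?"""
    return any(e.status == "V" and e.subject.get("CN") == cn and e.expires > now
               for e in entries)

def next_serial(entries: List[IndexEntry]) -> str:
    """Value the 'serial' file holds after these entries (hex, at least 2 digits)."""
    return "%02X" % (max(e.serial for e in entries) + 1)
```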
# tree .
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 00.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
4 directories, 8 files
# scp /tmp/httpd.crt 192.168.75.128:/usr/local/apache/conf/ssl    # copy the certificate to the web server
# rm /tmp/httpd.crt /tmp/httpd.csr    # once the web server has its certificate, the copies on the CA server can be deleted
VI. Configure SSL on the web server (on 192.168.75.128)
# vim /usr/local/apache/conf/extra/httpd-ssl.conf
<VirtualHost _default_:443>
    # same directory as the port-80 site; otherwise HTTPS serves different content from HTTP
    DocumentRoot "/usr/local/apache/htdocs"
    ServerName www.vip.com:443
    ServerAdmin admin@vip.com
    ErrorLog "/usr/local/apache/logs/error_log"
    TransferLog "/usr/local/apache/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/apache/conf/ssl/httpd.crt"
    SSLCertificateKeyFile "/usr/local/apache/conf/ssl/httpd.key"
</VirtualHost>
# vim /usr/local/apache/conf/httpd.conf    # uncomment the following lines
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
Include conf/extra/httpd-ssl.conf
# /usr/local/apache/bin/httpd -t
Syntax OK
# httpd -M | grep ssl_mod    # check that ssl_module is loaded
 ssl_module (shared)
# /usr/local/apache/bin/apachectl start
# lsof -i :80
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   13445   root    4u  IPv6 349321      0t0  TCP *:http (LISTEN)
httpd   13446 daemon    4u  IPv6 349321      0t0  TCP *:http (LISTEN)
httpd   13447 daemon    4u  IPv6 349321      0t0  TCP *:http (LISTEN)
httpd   13448 daemon    4u  IPv6 349321      0t0  TCP *:http (LISTEN)
# lsof -i :443
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   13445   root    6u  IPv6 349329      0t0  TCP *:https (LISTEN)
httpd   13446 daemon    6u  IPv6 349329      0t0  TCP *:https (LISTEN)
httpd   13447 daemon    6u  IPv6 349329      0t0  TCP *:https (LISTEN)
httpd   13448 daemon    6u  IPv6 349329      0t0  TCP *:https (LISTEN)
VII. Access verification
1. Add a hosts entry on the client
C:\WINDOWS\System32\drivers\etc\hosts
192.168.85.128 www.vip.com
2. Install the CA certificate
Copy the CA certificate (/etc/pki/CA/cacert.pem) from the CA server to the client, rename it cacert.crt, double-click it to run the certificate import wizard and import it into the browser's trust store, then open the site in the browser.
3. Access:
https://www.vip.com/
http://www.vip.com/
VIII. Problems encountered
Problem 1:
# /usr/local/apache2/bin/apachectl start
AH00526: Syntax error on line 51 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration
Solution 1:
# vi /usr/local/apache2/conf/httpd.conf    # uncomment this line
LoadModule ssl_module modules/mod_ssl.so
Problem 2:
# /usr/local/apache2/bin/apachectl start
AH00526: Syntax error on line 76 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Solution 2:
# vi /usr/local/apache2/conf/httpd.conf    # uncomment this line
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
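Problems 1 and 2 are both the same mistake: httpd-ssl.conf is included while the LoadModule lines from section VI are still commented out. The following added example (not the article's own code) is a pre-flight check over an httpd.conf excerpt that catches exactly these two gaps before `httpd -t` is run, and applies the two solutions; the excerpt is constructed with both lines still commented.

```python
# Pre-flight check for the httpd.conf edits in section VI.  Added example,
# not part of the original article; HTTPD_CONF is a constructed excerpt in
# the state that produces Problems 1 and 2.
import re
from typing import Dict, List, Set

HTTPD_CONF = """\
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule ssl_module modules/mod_ssl.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
Include conf/extra/httpd-ssl.conf
"""

# module -> what httpd -t reports when it is missing (from the article)
REQUIRED: Dict[str, str] = {
    "ssl_module": "SSL* directives unknown, 'Invalid command' (Problem 1)",
    "socache_shmcb_module": "SSLSessionCache 'shmcb' not supported (Problem 2)",
}

def loaded_modules(conf: str) -> Set[str]:
    """Module names from active (not commented-out) LoadModule lines."""
    return set(re.findall(r"^[ \t]*LoadModule[ \t]+(\S+)[ \t]+\S+", conf, re.M))

def includes_ssl_conf(conf: str) -> bool:
    pat = r"^[ \t]*Include[ \t]+conf/extra/httpd-ssl\.conf"
    return re.search(pat, conf, re.M) is not None

def preflight(conf: str) -> List[str]:
    """Problems that make 'httpd -t' fail once httpd-ssl.conf is included."""
    if not includes_ssl_conf(conf):
        return []            # SSL config not active, nothing to check
    loaded = loaded_modules(conf)
    return [f"{mod} not loaded: {why}" for mod, why in REQUIRED.items()
            if mod not in loaded]

def fix(conf: str) -> str:
    """Uncomment the required LoadModule lines, as Solutions 1 and 2 do."""
    for mod in REQUIRED:
        conf = re.sub(rf"^[ \t]*#[ \t]*(LoadModule[ \t]+{mod}[ \t])", r"\1",
                      conf, flags=re.M)
    return conf
```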
Problem 3:
The countryName field needed to be the same in
CA certificate (cn) and the request (sh)
Solution 3: the country name and province name in the request must be the same as those in the CA certificate.
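Why the organizationName rejection in section V and Problem 3 here occur, as an added example that is not the article's own code: a Python re-implementation of the subject-name policy that `openssl ca` applies with the stock `policy_match` section of openssl.cnf, run against the subject values from this page (the `vip Ltd` request is constructed to reproduce the error). It also shows why the issued certificate in section V carries no Locality field although the request supplied one.

```python
# Re-implementation of the subject-name policy that 'openssl ca' applies with
# the stock 'policy_match' section of openssl.cnf.  Added example, not the
# article's own code; DNs are the article's values, BAD_REQ is constructed to
# reproduce the 'vip Ltd' rejection.
from typing import Dict, Optional

# openssl.cnf [ policy_match ]: match = must equal the CA cert, supplied = must
# be present, optional = copied if present.  Attributes not listed (e.g. L)
# are dropped from the issued certificate.
POLICY_MATCH = {"C": "match", "ST": "match", "O": "match",
                "OU": "optional", "CN": "supplied", "emailAddress": "optional"}
LONG = {"C": "countryName", "ST": "stateOrProvinceName", "O": "organizationName",
        "OU": "organizationalUnitName", "CN": "commonName", "emailAddress": "emailAddress"}

CA_SUBJECT = ("/C=CN/ST=GuangDong/L=ShenZhen/O=SmallFish Company Ltd/OU=Tech"
              "/CN=ca.smallfish.com/emailAddress=admin@smallfish.com")
GOOD_REQ = ("/C=CN/ST=GuangDong/L=ShenZhen/O=SmallFish Company Ltd/OU=Tech"
            "/CN=www.vip.com/emailAddress=www.vip.com")
BAD_REQ = "/C=CN/ST=GuangDong/L=ShenZhen/O=vip Ltd/OU=Tech/CN=www.vip.com"

def parse_dn(dn: str) -> Dict[str, str]:
    """Split '/C=CN/ST=...' into an attribute dict (order preserved)."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if p)

def check_policy(ca_dn: str, req_dn: str, policy=POLICY_MATCH) -> Optional[str]:
    """None if the request may be signed, else the reason worded like openssl ca."""
    ca, req = parse_dn(ca_dn), parse_dn(req_dn)
    for attr, rule in policy.items():
        if rule in ("match", "supplied") and attr not in req:
            return f"The {LONG[attr]} field needed to be supplied and was missing"
        if rule == "match" and req[attr] != ca.get(attr):
            return (f"The {LONG[attr]} field needed to be the same in\n"
                    f"CA certificate ({ca.get(attr)}) and the request ({req[attr]})")
    return None

def issued_subject(req_dn: str, policy=POLICY_MATCH) -> Dict[str, str]:
    """Subject the signed certificate carries: only attributes the policy names."""
    req = parse_dn(req_dn)
    return {attr: req[attr] for attr in policy if attr in req}
```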
IX. Note:
SSL sessions cannot be told apart by host name: a server with a single IP address can provide SSL for only one host, so if there are several name-based virtual hosts, SSL can be offered to only one of them.